When it comes to protecting our personal and financial data online, the Australian solution – of cutting off users who fail to maintain their PC security – may have a lot of appeal.
But in the week when UK consumers are asked to turn their minds to questions of online safety, the real focus may need to be not so much on …

COMMENTS

Personally,

I don't do business with companies that treat me as if I were a criminal.

And I vote against any politician who makes the same assumption.

Yeah, I know, I'm probably tilting at windmills again ... The GreatUnwashed[tm] are not only incapable of, but have no interest in maintaining their own personal freedoms. That's why Western politics and Eastern dogma cow their respective populations as easily as they do.

Wow!

I would very much like to know how you manage in the modern world using cash only. I have yet to find a bank that doesn't treat fraud victims as being responsible for the fraud - I would expect to find a tooth fairy before finding a bank that treats fraud victims fairly!

@GettinSadda & @AC 21:54

I use a small local Credit Union for most of my day-to-day banking. I'm on a first-name basis with most of the employees. They always assume that it's their fault when I have issues ... because to date, in the last 25+ years, it always has been (key-punch errors, mostly ... hey, they are only human!).

And as a side-note, going in with a smile, a PleaseAndThankYou[tm], and the attitude of "I don't know if you can help me, let's find out!" when you discover an error helps keep 'em on your side ... if you come storming in, looking for blood, you'll only piss 'em off. Same is true when dealing with customer service in almost all walks of life. It's basic social engineering, innit.

AC: No, I haven't been a victim of fraud. But then, I'm no fool, and take steps to minimize my publicly facing personal info ... especially online. Even back when I was at Uni, long before TCP/IP existed, I used the pseudonym "...!stanford!sail!vax!jake" to keep my identity to myself. (Actual bang path address simulated to protect the guilty; I'm archived at DejaGoo under the original ::wry grin::)

Requiring you to be a responsible adult?

Cutting off someone whose computer is being used as a host by virii and criminal third parties isn't treating the owner as a criminal. It's just forcing him to do what he ought to want to do if he's a responsible adult who is made aware of the problem with his system.

The obvious precedent is the MoT test for cars. You are not allowed to drive around in an untested vehicle, or in one that has tested unsafe. That's because it's not just yourself that you are putting at risk, it's also everyone else on the roads and pavements. Likewise, unsafe computers on the information superhighway.

The thing that worries me is who sets the standards. I'm quite certain that Microsoft is planning to sneak something in, which the open source community cannot comply with. "Must have working X", where X is proprietary Microsoft technology. A car equivalent might be requiring all cars to have a working petrol-vapour recovery system ... including diesel, LPG and electric ones!

ISP Acceptable Usage Policies (AUPs)

This should be seen as a civil law (i.e. contractual) matter between an ISP and their customer, which the customer agrees to as a condition of using a service provided by the ISP. If you read a few of these you will see that they all attempt to prevent the customer from using the connection for sending out spam or UBE (Unsolicited Bulk Email).

ISPs all have such AUP provisions, but take different responses to this issue in practice, with some rate limiting their own email smart hosts and others going further by also blocking port 25 connections from clients within their network to anything other than their own smart host. Anyone who wants to bypass them on such a network should operate their own smart host on port 587 which ISPs should not block - the external smart host and network provider have to establish and maintain their own external reputations to avoid DNS blacklisting.

The reason ISPs do this is because no ISP is obliged to peer with them or provide upstream transit services, so ISPs providing a cover for spammers and other criminals will eventually get disconnected.

So in my view no new laws are needed, but ISPs do need to review their AUPs and enforce these. What this means is that a customer whose network is detected as a persistent source of abuse should be progressively limited in relation to outbound services, until given information on how to disinfect.

This creates an issue for someone with access to only one ISP, which in my view should operate the minimum ISP industry abuse limitation based upon peering requirements and blacklist avoidance for legitimate uninfected customers. Those with a choice of ISPs should read the AUPs and choose which one they prefer.

Microsoft?

As Windows is almost exclusively the root cause behind this problem, when can we expect to see Microsoft brought to account for the untold damage their shoddy products have caused over the past twenty plus years?

Car manufacturers, vacuum cleaner makers, just about everyone else has to act when their products are found to be demonstrably unfit for purpose - why not software suppliers?

Car manufacturers?

I don't think that a car manufacturer would be held accountable if a customer allowed their vehicle to become a death trap through their own negligence. Now if the fault is with the design that's another matter but that (to me) would be the equivalent of Microsoft shipping their software pre-infected, which to my knowledge they've not done.

I've been a Windows user for about 10 years and even as a total n00b I only ever got caught by the blaster virus and a porn dialler. I learned from each of these failures though and never fell for the traps again.

HUSH

Isn't this the norm?

In Holland, whenever a home network gets a botnet infection, it gets knocked off the main network. You can configure a proxy, allowing you html --very slowly. You can then try and sort it out; until then you are cut off from most of the internet: no BT, no mail, no ftp.

Sucks when you are the only Mac, and you have to suffer because some Windows nitwit felt the need to download some Russian subs...

Cut offs get my vote

People should not connect systems to the intertubes without reasonable protections, just like they are not allowed dangerous vehicles on the road (I know how we all love our car analogies).

Obviously the ISP should provide advice (more secure OSs, antivirus, firewalls etc) and the ISP needs to take care on how they inform users (i.e. use snail mail or something) otherwise the phishers et al will spoof the mechanism to sucker more people in.

And if too much junk is detected coming from an ISP (and they aren't obviously taking action), cut that ISP off.

As for some carrot, perhaps ISPs could (with user consent) do PEN tests or something? If the user passes, then that user gets a discount or some other benefit. Although that adds to the burden on ISPs, so any saving is probably going to get swallowed by cost increases.

---

I agree totally about MasterCrap etc, their SecureCode system drives me feckin' insane. Never integrates into the site properly, so I am never 100% if it's genuine (I have actually cancelled purchases because SecureCode is so bad).

I want my £50 back

The first time I came across a site that used VillifiedByVisa it took me so long to verify that the - third party (ie. not the site I was on, Visa, or my bank) - website I was taken to was genuine, that the cost of the plane tickets had gone up by £50.

And in the process I learnt how completely pointless and, in reality, *less* secure the whole scam^W scheme is.

Safety First

No magic bullet

Much as I may prefer the relative security of the penguin to other options, one of my students once managed to configure a Linux host with a very weak password which then got compromised through SSH password guessing and which was then used as a vector to find other C&C servers, for which it seems botnet herders quite like to use Linux. I couldn't reimage that one fast enough when I found out about it. So however good the underlying system this won't protect you against sloppy systems administration.

So blaming the state of the computing security world on a single operating system is too simplistic and doesn't address the real issues. Besides, ill-thought out policies about what can be allowed onto a network and why (e.g. it must run an antivirus program which doesn't run on Linux or *BSD) are likely to discriminate unfairly against minority options.

I've seen these crazy policies applied within private networks regardless of how effective open source software package repository and supply chain quality assurance and verification mechanisms may be compared to proprietary systems where users need to download executables from untrusted 3rd party sites in order to get basic stuff done. AC, because my employer runs a network which denies 1st class access to these inherently more secure systems due to reasons which they won't discuss.

This is not difficult

1: a "simple" level of ISP monitoring. Basically, maintain a list of known and VALIDATED (as reported by the government and other security agencies) IPs and domains known to be harboring botnets, hackers, and other scams. This list should not be a "the site you're attempting to access may be infected." This should be a "that site exists solely for scams or to infect your machine or to control bots on your computer." This should not be a list maintained independently by ISPs, but a national, or internationally distributed list.

If a PC on your network accesses one of those known sites on a port/protocol known to be associated with a virus, you get a 404 error (or equivalent) and the traffic is blocked. If you clicked a link associated with a scam, you'll get a notice on screen, another in the primary e-mail account the ISP has on file (and all other backup accounts on file), and instructions to go to your ISP's home page, log in, and read a security report (which includes NO LINKS to get there and makes clear you will never be linked to such, ever, to avoid potential abuse of this notification system).

If you clicked a link and got a notice because you tried to go to a scam site, your bad. Hopefully this will raise awareness. If you're REALLY certain the link is legitimate, you can go to your ISP home page, log in, report the URL, and request it be unblocked. Within 60 minutes, someone should do that for you, or confirm you are the victim of a scam and mistaken. If some application on your PC is trying to connect to a bot server however, we need a different response in addition to the e-mail alerts:

2: When you do something dumb, the ISP tries to protect you and gives you a warning, which if you're really dumb you can ignore and bypass by request of tech support, unless the government itself has issued a block of all traffic to that address via the courts and due process (take-down of the site, it's not on the net anymore to reach, which should be the natural next step after a warning about not going there goes out). However, if you have a bot, often those things are moving targets. Taking down one site might not prevent alternate sites from communicating with your infection, or when internationally based servers are involved and take-downs take time. The ISP needs to act on behalf of others, not you.

Network quarantine, and a notice on screen if you attempt to go to any sites other than those of OS vendors, security app vendors, and sites registered with the government that can assist in virus removal. A list of these should be included in the warning (no links). If you absolutely HAVE to bypass this quarantine, there should be a link on your ISP page (after you log in) to release the quarantine for 24 hours. There should be a fee ($10?) and you can't do this more than 3 days in a row for any reason. OR, prove to the ISP you are infection free by running an AV scan using today's latest definition pack, screen shot the results, and mail them to the helpdesk. Since this is triggered by application activity on known ports to known sites, the risk of false positive should be very very small.

Anyone on a business class connection should receive only warnings, not quarantine, but might suffer increased fees if the issue is not dealt with "swiftly" after multiple days of warnings (including a contact call).

3: "Certified internet security aware." People in the know (or who bother to GET in the know) should be able to take a simple web based exam, hosted by any of a number of certified testing centers (CompTIA, etc), to become "internet security aware", and provide that certification to their ISP, along with a screen shot of the expiration date of the AV client installed on their computer (one for each MAC address in the home), and a list of non-PC MAC addresses as well (set top boxes, NAS, etc, that might access the net for content or updates). Going through this simple process would avoid the automatic quarantine, and allow those who would prefer no disruption to services to receive only notices and not be quarantined for several days. This test, and materials to pass it, would be under $5, and would be good for 2-3 years, and be able to be passed from ISP to ISP without retaking it.

So, in summary:

1: you do something dumb, and a router alerts you there might be an infection or scam at a web site.

2: you're infected and we know it, they notify you 7 ways from Sunday and quarantine your machines until you prove clean with a scan, or pay $10/day to get online anyway for up to 3 days.

3: you certify and maintain AV on all your PCs and can avoid the quarantine complications (and extra fees if you solve the issue quick) and still get notified 7 ways from Sunday if they detect activity, and could still be quarantined if you go more than 3 or 4 days without resolving the issue.

So you're forcing me to run Windows

just to prove my anti-virus is up-to-date ?

Sorry, mate, I've just spent the first half of my life under a regime telling me what to do, how to behave and even how to address people around me (I was told by law to call them comrade, it was against the law to call them Mr / Mrs.).

"you certify and maintain AV...."

Only run Linux on the machines here. There really is no anti-virus software as no Linux virus has managed to spread so no anti-virus infrastructure has developed.

Security here is all down to automatic updates, strong passwords, local and router firewalls, SSH access only to long, unusual account names with VERY long passwords and online banking, again using VERY long passwords. All of this backed-up with a little paranoia and common-sense.

Oh and a system that doesn't run executables just because you click on a link in a email or browser.

Ironic really

That you titled your post "This is not difficult" considering the numerous problems with what you have posted.

For a start, the ISPs are currently afforded common carrier status. It's not their responsibility to monitor what their users do, nor is it technically feasible (without increased costs).

Now assuming they come into some money, how do you think they're going to implement this? Hmmm maybe a single proxy for all users? Because that worked so well when the IWF tried to block a Wikipedia page.

Now lets put our tinfoil hats on. I'm big bad government minister 1. I don't like hearing how the opposition would do a better job than me. All users are going through our 'safety' filters. I might just use China as inspiration!

As for certifying and maintaining AV. Which would you accept? Can I run OSS? Can I run one I wrote myself? Who decides which are good enough, or do we just grant a monopoly to Norton and McAfee regardless of whether they suit the user's situation.

What if the 'suspicious' activity you've detected is me testing NewFadTech1? What do I do then?

Your idea just doesn't translate to meatspace, sure it'd be nice to keep bots off the net, but it's not realistic. Assuming you could successfully implement it, as an attacker I'd then be looking at things that are harder to quarantine. Why not try and take over a few routers? OK it's more work than getting average Joe to install HardcorePronJessicaSimpson.avi.exe but it's still pretty viable.

a

I'm not actually totally against this kind of thing in theory.

I think of it like a car. If you allow your vehicle to become unroadworthy you will not be allowed to drive it and may even face a fine or worse. Of course the difference is that a poorly maintained car could actually kill someone, hence why jail time or a fine is probably overkill. Suspension from the net until they get it fixed though - I could live with that.

Canada

We already have this happening in Canada. At least one major ISP that I know of (Cogeco) freezes the connections of compromised accounts on a regular basis. I have seen this in person on several business and consumer accounts of people I know. The company is apparently monitoring traffic enough to recognize spam bots, trojans and DDOS attacks originating from their customers. And so far, they seem to be pretty good at it. Each time I've been called to help out someone who has lost their connection, I have found the problem that the ISP said they had.

How do you tell?

If there are simple, transparent rules on what constitutes infection, I'm all for it. However I fear that this is not simple. From the ISPs point of view, it can be difficult to detect whether traffic is sent by a malicious program or by something completely normal. Since DDOS tools nowadays communicate via encrypted peer to peer protocols, the only workable approach by the ISP would be to block peer to peer traffic. This is not what we want. Phishing software (keyloggers etc.) work through P2P, IRC or upload things on a webhost. Only the webhost is easy to take down and if it becomes standard practice, then phishers won't use that method anymore.

I fail to see how this could work in practice. It may work for some the problems we have *now*, but if the malicious coders simply adapt to using more seemingly normal channels, ISPs don't have means to provide a technical solution. And then, when there is no clear cut case anymore, the cut off becomes arbitrary and cue the lawyers.

How do you tell?

I think you are confusing:

a . The command and control channels used by malware and criminals, which are not directly harmful to anyone other than to the real world owner (and users) of the system taken under virtual control by this means, with

b. The use to which the malware infected system is put, including fake money transfers, sending out spam email and creating high traffic levels on websites or using other protocols as part of a DDOS. Because criminals are greedy, usage b. will likely result in higher volume traffic (unless the infected machine is part of a very, very large and stealthy botnet, individual hosts of which are only used very lightly). Note that it is the unusual volume of activity (e.g. in relation to persistent requests for the same webpages or abnormally high outgoing email count) that makes an infected machine detectable to the ISP.

ISPs are only justified in taking down protocols (e.g. BT, IRC etc.) typically used for C&C (relevant to activity a.) if they detect activity b. Activity b., while difficult to detect reliably, is relatively easier for an ISP to detect compared to activity a. Detecting activity b. does need some fairly advanced packet monitoring and firewall rules likely to need updating routinely, but occasional and intermittent encrypted C&C activity could be made almost indistinguishable from other traffic.

The ISPs could certainly get better at detecting malicious patterns of activity by forming better collaboration channels for data sharing with other ISPs, e.g. so information about current DDOS endpoints and attack characteristics are more widely publicised, enabling more accurate identification of zombies participating in DDOSs. But better data sharing requires better trust metrics amongst ISPs to enable criminal ISPs to be disconnected sooner rather than later and this hasn't proved achievable in such a rapidly expanding 'wild west' business environment.

As to transparent reporting of problems with individual hosts, spamhaus.org do a good job here (they keep between 600 and 1400 spams out of my network per week), but you only discover a problem when something gets blacklisted by them. ISPs are not transparent because they don't like to give too much information away about the details of the monitoring they are carrying out. The reasons for this reticence seem obvious; they don't want to give attackers the information needed in real time to get around their defences, e.g. by enabling attackers to slow down a DDOS to prevent this getting blocked one infected machine at a time.

@copsewood

Sorry, but I agree with the original poster in that I believe that it will be very hard for ISPs to detect the issues other than unencrypted communication which can obviously be packet inspected for malware comms. This will just lead to a whole host of disconnection notices for users who do not have malware on their machines, a nice boost for local IT shops and doubtless a few claims of Macs or Linux boxes supposedly running Windows malware.

Your statement seems to revolve around an assumption of ISPs striving for better service etc - you have obviously never lived in Australia. They would like this in part because it will give them the ability to cut off a user and still charge them. Fantastic. The bit they won't like is any setup cost.

Do not confuse laudable (but unmanageable) intentions with the utter nanny-state bullshit that flows out of Oz on a daily basis. I'm surprised that they haven't yet mandated that we all run dumb terminals connecting to sessions they host. This is a country fueled by bullshit and bureaucracy.

@Mark65

Most of the abuse coming from infected hosts is unencrypted and would make no difference if it were encrypted because encryption doesn't prevent traffic analysis. It's inherently feasible for an ISP, if knowing that an external address 1.2.3.4 is getting DDOSed right now, to measure that a host within their network requested pages from this victim 100 times in the last minute and that they are spoofing their originating IP address. It's also inherently feasible for an ISP to know that a host within its network has got itself onto various DNSBLs due to thousands of port 25 connection attempts bypassing the smart host provided by the ISP per day. I agree that compiling such metrics will cost the ISP something.

I personally am very much opposed to ISPs disconnecting or limiting customers based upon 3rd party information which they can't verify for themselves, e.g. based upon allegations of copyright infringement or on the alleged content of encrypted communications. As far as spam/UBE is concerned it doesn't matter what you or I are in favour of anyway, because ISPs which tolerate this from their customers will find other ISPs offering them much less favourable peering terms, and in extreme cases refusing to accept traffic from them.

As to whether ISPs intend to improve their services, once a market saturates (and we're nowhere near that yet) ISPs that don't improve services within a competitive environment go out of business. I've been told the ISP environment in Australia is very different from here in the UK, in the sense that you have widely dispersed populations with only 1 ISP able to offer a service (if any) across wide regions.

If your ISP is a monopolist, this imposes an entirely different set of obligations upon them than if they are one of many competing for the same customer's business. Kicking a user off the network for infringing an AUP is different if the user can go elsewhere tomorrow and can sue the previous ISP for breach of contract. If there is only 1 ISP, the terms of service and regulations to ensure fairness and non-discrimination have to become something the politicians and regulators need to get involved with to a greater and less welcome degree.

Title required

This is a tricky issue. Where I work we have a system that blocks certain traffic without impacting the rest of a user's services. In extreme cases, for example where a Zeus infection is detected, the user is completely quarantined until we have an opportunity to take a look and remove the infection. The user is then informed that they must change all of their passwords and how to maintain their PC security responsibly.

In reality, cutting people off is only going to piss people off royally. Before ISPs can even think about this approach to security they need to think carefully about how exactly they will be able to cope with the increased support associated with stamping out the dirty-ness in their network. That burden will invariably fall on the first line broadband support with confused customers demanding support.

Laughable horseshit

RE: Laughable horseshit

>> Why not just expect everybody to do their own minor medical procedures, too?

Eh? No one is suggesting that, at all. Your analogy is actually quite good, because there are defined medical conditions in most countries which are notifiable for public health reasons, and a subset of those will get you picked up and put into quarantine to protect the rest of the population.

What doesn't happen though is you getting quarantined and told to fix yourself - you get medical attention from professionals. At that point the analogy does break down, because the suggestion doesn't call for you to get professional treatment for your infected PC at public expense - you get to choose whether to fix it yourself, or if it's beyond your skills, you can pay someone to deal with it for you.

But of course, some people do do their own minor medical treatment: Got a headache ? Take an over the counter drug rather than burdening your doctor with it. Got a minor cut ? Put a sticking plaster on it, it's not grounds for A&E !

But if it's more serious than you can deal with, get a professional to deal with it.

I know of 1 ISP that's already doing this..

ADSL4Less. They kicked off our company a few years back claiming we were sending viruses etc. When we went online we had a fixed page which informed us we had to call a premium rate number to confirm the system was clean.

We are in a PC security business so our system is about as good as it can be so it was total BS that we had sent a 'virus'.

Interestingly they were never able to confirm the variant, or the alleged email that sent it - especially as I was able to provide system logs that proved that we had not sent it.

An Ounce of Prevention

ISPs have a right to restrict service to customers that use their service for illegal activity, regardless of whether the activity is intentional or not.

How about if abuse/malware is detected, redirect ALL browser requests to a page on the ISP's website that prompts for a system scan - plenty of antivirus companies already have this capability. Give them a phone number to call so they know it's legit (certain precautions will have to be taken because you know that scammers will try to duplicate this behavior).

Clean the system, turn on Windows Firewall, and it's done. Certainly the customer can't complain that their computer is now faster.

If I'm kicked off

Bloody good idea.

If you have managed to get your computer botted then it needs to be taken off the internet for the common good.

What really amazes me is how many mom&pop computers are left on, connected up to broadband 24/7. People should turn off their computers when not in use. Unpowered computers can't bot.

And don't feed me that bullshit about computers dying if turned off. That is complete crap. My small software consultancy operates from a mobile site office that gets to +35C in summer and below 0C in winter. I turn off all my computers every night (unless they are running overnight tests or big builds etc). I have 6 computers in the office and none have failed in the ten or so years I have been doing this.

You can't

You can't require that.

What you can permit or require is for the customer to clear up the mess once he is made aware of it, and to permit disconnecting him until he does.

Just like MoT testing cars. It's not an offense to drive a car that will fail its MoT in to a testing station. But when it fails, there is an obligation on its owner to get it repaired and re-tested (or scrapped)

Monitoring how

Your ISP is inherently capable of knowing if your machine is doing what a spam zombie does by monitoring internal client port 25 connections to external servers bypassing its smart host or by measuring traffic through the smart host. It is feasible that your infected computer is being used by its controllers very lightly, but unlikely because criminals tend to be greedy, so will generally try to earn using their zombies before they have herded millions of them.

The same goes for DDOS attacks. If an ISP knows which addresses are currently in receipt of these it is inherently capable of knowing which machines within their network are sending how many packets to these victims. Since when does a legitimate user request the same webpage or site 100 times a second?
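The three heuristics that the "@Mark65" reply and the "Monitoring how" post above describe (port 25 connections bypassing the ISP smart host, repeated requests to an address known to be under DDoS, and packets with a spoofed source address) as an added Python example run over constructed flow records; this is not code from any commenter or ISP, and the address prefix, smart-host address, victim list, flow format and thresholds are all assumed values.

```python
"""Abuse heuristics of the kind the comments describe, run over constructed
flow records (not real ISP data). Addresses use the documentation ranges
192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24; thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

ISP_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # assumed ISP customer block
SMART_HOST = "192.0.2.1"                            # assumed ISP outbound mail relay
KNOWN_VICTIMS = {"198.51.100.9"}                    # assumed shared list of addresses under DDoS
SMTP_BYPASS_LIMIT = 50      # port 25 connections to non-smart-host destinations
FLOOD_LIMIT_PER_SEC = 100   # requests per second to one victim, the figure used in the comment


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'ts src dst dport' record."""
    ts, src, dst, dport = line.split()
    return Flow(float(ts), src, dst, int(dport))


def spoofed_sources(flows):
    """Outbound packets whose source address is not inside the ISP's own prefix."""
    return sorted({f.src for f in flows if ipaddress.ip_address(f.src) not in ISP_PREFIX})


def smtp_bypass_offenders(flows):
    """Hosts opening more than SMTP_BYPASS_LIMIT port 25 connections that avoid the smart host."""
    counts = defaultdict(int)
    for f in flows:
        if f.dport == 25 and f.dst != SMART_HOST:
            counts[f.src] += 1
    return {src: n for src, n in counts.items() if n > SMTP_BYPASS_LIMIT}


def ddos_participants(flows):
    """Hosts exceeding FLOOD_LIMIT_PER_SEC requests to a known victim in any one-second bucket."""
    per_sec = defaultdict(int)  # (src, dst, second) -> request count
    for f in flows:
        if f.dst in KNOWN_VICTIMS:
            per_sec[(f.src, f.dst, int(f.ts))] += 1
    peaks = defaultdict(int)    # (src, dst) -> busiest second
    for (src, dst, _), n in per_sec.items():
        peaks[(src, dst)] = max(peaks[(src, dst)], n)
    return {pair: n for pair, n in peaks.items() if n > FLOOD_LIMIT_PER_SEC}


def build_sample_flows():
    """Constructed traffic: a clean host, a spam zombie, a flood participant,
    a legitimate visitor to the victim, and one spoofed packet."""
    lines = []
    lines += [f"{t} 192.0.2.10 203.0.113.5 443" for t in range(5)]        # clean web traffic
    lines += [f"{t} 192.0.2.10 {SMART_HOST} 25" for t in range(3)]        # mail via the smart host
    lines += [f"{t % 60} 192.0.2.20 203.0.113.{(t % 200) + 1} 25"         # direct-to-MX spam
              for t in range(120)]
    lines += [f"7.{i:03d} 192.0.2.30 198.51.100.9 80" for i in range(150)]  # 150 hits in second 7
    lines += [f"{t} 192.0.2.40 198.51.100.9 80" for t in range(20)]       # 1 hit/s: normal browsing
    lines += ["9 10.9.9.9 198.51.100.9 80"]                               # source outside ISP_PREFIX
    return [parse_flow(line) for line in lines]


def run_report(flows=None):
    """Return the three findings for the given flows (sample flows by default)."""
    flows = build_sample_flows() if flows is None else flows
    return {
        "smtp_bypass": smtp_bypass_offenders(flows),
        "ddos": ddos_participants(flows),
        "spoofed": spoofed_sources(flows),
    }


if __name__ == "__main__":
    for kind, hits in run_report().items():
        print(kind, hits)
```

The legitimate visitor (one request per second) is not flagged, which is the distinction the comment draws between normal use and a zombie.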

It will happen, if you like it or not.

What is needed is to lower the potential for abuse.

First step to take is to remove any monopolies there are left. That means opening internet infrastructure to anyone willing to start a new ISP business venture, the same way phone lines have been opened for new providers.

This will not only increase competition and have a positive impact on service quality and pricing, it also ensures that ISPs have to act in their customers' interest. In a monopoly-unfriendly environment the consumer is in fact the strongest lobby.

The phone business in those European countries where infrastructure owners are obliged to lease their lines to anyone asking for it, for a regulated, competitive price, has greatly benefited from that, at least from the consumer's point of view :-)

I am aware that the same rules apply to internet lines in some countries, but by far not in all.

On this background, YES, PLEASE make sure that every machine that spews out malware traffic gets redirected to a quarantine network and will be only permitted back to join the big wide web after a proper cleanup.

There is no such thing as the right to spread malware, same as there is no such thing as the right to spread the plague. If you have a dangerous, contagious disease you will be removed from public, quarantined, and offered treatment until you are no threat to others anymore. The more this should apply to the online world where the impact on your life is much lower (at least I wouldn't file internet access into any of the first three steps of Maslow's "Pyramid of Needs")

The technology has existed for a long time already; the problem is that ISPs are not very eager to implement it as long as they are not liable for what happens in their networks.

Once they are obliged to keep their networks clean, and the legal frameworks are building as we speak, this kind of analysis (and in a way censoring) technology will become common, if you like it or not.

I for one can't wait for it to happen.

Sure there is a potential for abuse, but I can't see how it would be any bigger than in any other aspect of economy and society as long as we have choices.